Cisco Support Community

New Member

Natting

Hi

I want to configure two NAT statements with my single local IP for my mail server. Is it possible to create another router with the same local IP for another external IP? I am using an ASA 5505.

Right now I have


static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255


static (inside,outside) yyy.yyy.yyy.yyy  192.168.12.49 netmask 255.255.255.255  ( I want to do like this)

Thanks

Amardeep Rana

20 REPLIES
Silver

Re: Natting

No. I think it will complain about duplicate entries to the first static when you try to enter the second static command.

Cisco Employee

Re: Natting

This will not be possible. You can map ports if you have a specific example.

For example:

static (inside,outside) tcp xxx.xxx.xxx.xxx 25 192.168.12.49 25 netmask 255.255.255.255
static (inside,outside) tcp yyy.yyy.yyy.yyy  22 192.168.12.49 22 netmask 255.255.255.255

But just curious, wouldn't your server complain of an IP conflict in your internal network, as 2 devices have the same IP?

New Member

Re: Natting

Hi

I have only one server with a local IP of 192.168.12.49. But I want to create two NAT routes with this and I get the error of duplicity.

Thanks

Amardeep Rana

New Member

Re: Natting

Hi

Yes, you are right, this is giving me the same error of duplicity.

So you mean I am not able to map a single local IP to my other two external IPs.

Any idea how I can do it?

Thanks

Amardeep Rana

Cisco Employee

Re: Natting

As I said, the only option is static PAT, wherein you can map specific ports.

The reason is simple: when the server is sending a packet out, it will not know which public IP to use.

Can you elaborate more on what service this host is running,

whether the 2 IPs need to be translated on the same interface,

and why exactly you need to translate it to 2 IPs unless the server is running 2 services?

New Member

Re: Natting

Hi

This is my mail server, and I want to keep it up all the time. Sometimes my primary ISP goes down, so I have to roll over to the backup ISP. So I want to map the same server to two ISP external IPs, so that the server can be up all the time.

Thanks

Amardeep Rana

Cisco Employee

Re: Natting

Hello,

Are both your ISP's connected to same outside interface? If yes, my earlier post has the configuration example that will achieve what you are looking for. If they are on different interface of the firewall, then you need not have to worry about duplicate entries and just configure normal static NAT.

static (inside,ISP1) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255

static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255

The firewall will choose the static based on the outgoing interface.

Hope this helps.

Regards,

NT
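As an added example (not part of the original posts, and not Cisco's code): a small Python check that models the behaviour described in the replies above, flagging two pre-8.3 `static` lines as duplicates only when they share the interface pair and real IP and their port scope overlaps. The sample addresses are constructed documentation-range placeholders, and the overlap rule is a simplified assumption based on this thread.

```python
import re
from itertools import combinations

def parse_static(line):
    """Parse one pre-8.3 'static' line; return None for forms not modelled here."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "static":
        return None
    ifs = re.fullmatch(r"\(([^,()]+),([^,()]+)\)", tok[1])
    if not ifs:
        return None
    rest = tok[2:]
    if rest[0] in ("tcp", "udp") and len(rest) == 7 and rest[5] == "netmask":
        # static PAT: proto mapped_ip mapped_port real_ip real_port netmask MASK
        proto, _mapped_ip, _mapped_port, real_ip, real_port = rest[:5]
    elif len(rest) == 4 and rest[2] == "netmask":
        # full static NAT: mapped_ip real_ip netmask MASK
        proto, real_ip, real_port = None, rest[1], None
    else:
        return None  # policy NAT (access-list form) and other variants are skipped
    return {"pair": (ifs.group(1), ifs.group(2)), "real_ip": real_ip,
            "proto": proto, "real_port": real_port, "line": line.strip()}

def overlaps(a, b):
    """Assumed rule: same interface pair + same real IP + overlapping port scope."""
    if a["pair"] != b["pair"] or a["real_ip"] != b["real_ip"]:
        return False
    if a["proto"] is None or b["proto"] is None:
        return True  # a full static covers every port of the real host
    return (a["proto"], a["real_port"]) == (b["proto"], b["real_port"])

def find_conflicts(config_text):
    """Return pairs of static lines that would collide under the rule above."""
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    return [(a["line"], b["line"]) for a, b in combinations(entries, 2) if overlaps(a, b)]

# Constructed sample: one duplicate pair, one static PAT pair, one dual-interface pair.
SAMPLE = """
static (inside,outside) 203.0.113.10 192.168.12.49 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.12.49 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.20 25 192.168.12.62 25 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.21 22 192.168.12.62 22 netmask 255.255.255.255
static (inside,ISP1) 203.0.113.30 192.168.12.59 netmask 255.255.255.255
static (inside,ISP2) 198.51.100.30 192.168.12.59 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for first, second in find_conflicts(SAMPLE):
        print("duplicate real IP on same interface pair:\n  %s\n  %s" % (first, second))
```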

New Member

Re: Natting

Hi Nagaraja Thanthry,

I think your answer worked for me and I was able to make two routes. But as I created the second route, my internet stopped working.

static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255 , As I put in this command, my first entry stopped working. Internet was not working on the same server whose IP I am using for two routes. To resolve the issue I had to remove both of the entries from the ASA and map another IP to my mail server, and after that it started running. The 192.168.12.49 server stopped running after my second static command.

I tried clear xlate but in vain.

Please suggest

Thanks

Cisco Employee

Re: Natting

If you have 2 ISPs then I would assume you have 2 interfaces as well connected to the internet.

http://www.cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

The above doc shows how the ideal scenario is for dual ISP.

Cisco Employee

Re: Natting

Hello,

You can use policy-nat.

access-list PNAT1 permit ip host 192.168.12.49 any

access-list PNAT2 permit ip host 192.168.12.49 any

static (inside,outside) xxx.xxx.xxx.xxx access-list PNAT1

static (inside,outside) yyy.yyy.yyy.yyy access-list PNAT2

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

Hope this helps.

Regards,

NT

New Member

Re: Natting

HI

Let me try with this configuration. I will update it soon.

Thanks

Amardeep Rana

New Member

Re: Natting

Hi

I have A records on GoDaddy for some of my servers. I have created NAT from local IP to external IP and I access those servers by name. I made some change on the ASA 5505, and after that none of the IPs was pinging outside. I had to change all of my static routes to different IPs; after that they are running. Is there any issue the second ISP router can create? What is the role of xlate? Please suggest, I don't have many IPs in my pool. Please help.

Thanks

Amardeep K

Cisco Employee

Re: Natting

Hello,

Can you please post the output of "show run interface", "show run static", and "show run route" here? You can sanitize your IP addresses if you like.

Regards,

NT

New Member

Re: Natting

HI

Output of these three Commands

ciscoasa(config)# sh run interface
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Local IP 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Extrenal 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 22

sh run static

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.62 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.59 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.100 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.41 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.49 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx exchange01 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.65 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.19 netmask 255.255.255.255

( I had to recreate all statics again, as I was not able to access them after the Dual ISP setup or after putting in this command

static (inside,ISP2) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255.

show run route

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1

Thanks

Amardeep Rana

Cisco Employee

Re: Natting

Hello,

Did you have another interface (Vlan 22) named ISP2? Did you by any chance use "backup-interface" configuration on the firewall? Can you please post the configuration with the second ISP interface here?

Regards,

NT

New Member

Re: Natting

Hi ,

I have used this config, but as I got an issue I rebooted my ASA.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address Backup Isp 2 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 Primary ISP Exteral IP 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 Backup    (Isp )

Check also

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1

route backup-isp 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx  2

global (backupisp) 1 interface

access-group 10 in interface backupisp

Finally I put this command

static (inside,backup-isp) yyy.yyy.yyy.yyy 192.168.12.49 netmask 255.255.255.255

Thanks

Amardeep K

Cisco Employee

Re: Natting

Hello,

I see that there are no NAT rules for the primary interface in your configuration. Let's try the following:

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 1
ASA5505(config-if)# no shutdown

ASA5505(config)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 3
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary-isp
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0
ASA5505(config-if)# no backup interface vlan 3

New Member

Re: Natting

Hi NJ,

I will try your configuration in off hours. But please explain it, the last command, when there is no Vlan 3 in my config.

ASA5505(config)# interface vlan 2

ASA5505(config-if)# nameif primary-isp

ASA5505(config-if)# security-level 0

ASA5505(config-if)# ip address Primary ISP Exteral IP 255.255.255.0

ASA5505(config-if)# no backup interface vlan 3

Here I want to know what the reason will be that I had to change all the static routes, and the new records are running.

Suppose I had below static before.

static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.56 netmask 255.255.255.2     (This was running before I set up for Dual ISP)
static (inside,outside) xxx.xxx.xxx.xxx 192.168.12.77 netmask 255.255.255.2     (This was running before I set up for Dual ISP)

But I did not save anything on the ASA and rebooted it. After the reboot both of the upper statics did not run. I tried xlate. But.....

Then I had to create new statics and then I was able to access with the new IP.


static (inside,outside) yyy.yyy.yyy.yyy 192.168.12.56 netmask 255.255.255.2 
static (inside,outside) yyy.yyy.yyy.yyy 192.168.12.77 netmask 255.255.255.2

Please help

Thanks

Amardeep Rana

Cisco Employee

Re: Natting

Hello,

The issue could be that the ISP router had wrong ARP entry for those IP addresses. You might want to reboot your ISP router (or talk to them and have them flush their ARP cache).

Hope this helps.

Regards,

NT

New Member

Re: Natting

Hi NT,

I have an 1841 router that is given by the ISP to terminate the link, and they handle this router themselves. I have rebooted that router, but after that I am again not able to access the old IP series. I mean, when I create a NAT route from local to live IP, this does not work. Please help.

Thanks

Amardeep Rana
